![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2014\/10\/ventir-trojan-mac-malware.jpg\")
<\/p>\n<\/p>\n
Mac malware researchers constantly encounter new malware samples and variants. In recent weeks, two notable malware families introduced new malware variants in their infection campaigns.<\/p>\n
Here’s what you should know regarding two recently updated Mac malware families: OSX\/WizardUpdate<\/strong> and OSX\/Bundlore<\/strong>.<\/p>\n It’s fairly rare that a piece of malware comes along just once and is then never heard from again. Some malware when first observed is a proof-of-concept (PoC) that later returns with more features, better obfuscation (self-hiding techniques), etc. Malware developers sometimes release their software out into the wild to see how it performs, then take that test data to make something that performs better.<\/p>\n OSX\/UpdateAgent is a piece of malware that was first spotted in November of 2020, and was a simple infostealer at the time. There have been a few variants since then with minor tweaks, but now UpdateAgent\u2014also known as WizardUpdate\u2014is back with a new bag of tricks.<\/p>\n The latest sample comes with several upgrades, including the ability to:<\/p>\n The evolution of the OSX\/WizardUpdate malware family. Image credit: Microsoft<\/a>.<\/p><\/div>\n The new variant, first reported on by Microsoft<\/a>, utilizes new ways to evade detection and persist on an infected system. Distributed as a drive-by installer (something that will pop up on random websites) the latest variant was found as a fake Flash Player installer.<\/p>\n After having been on its way out for years, Adobe Flash Player was discontinued in December 2020<\/a>. Browsers that had Flash Player built in removed the plugin, most websites that still served Flash content switched to HTML5 and other technologies, and Adobe even released a final “update” to Flash Player to prevent it from running.<\/p>\n But, unfortunately, a lot of people are still tricked by malicious popups and messages such as this:<\/p>\n The appearance of these fake Flash Player update messages vary. But to this day, they still seem to be very effective in getting users to download whatever “update” is offered to them. OSX\/WizardUpdate is one such “fake updater” Trojan horse.<\/p>\n Once installed on a system, OSX\/WizardUpdate removes all of the files, folders and other support files it created, and it hides itself in the user libraries where it creates and modifies .plist files to ensure it can persist after restarts and system migrations. It can do this thanks to the elevated privileges it received when a user typed in the administrator password required for installation.<\/p>\n Users can often be easily tricked into typing their password when installing what they believe to be legitimate software. This is why one should be very cautious about where their software comes from. Always<\/strong> try to download software from the App Store whenever possible, or directly from the Web site that you know for sure belongs to the actual developer. Never<\/strong> install software that a Web site or browser popup prompts you to download or install.<\/p>\n OSX\/WizardUpdate downloads additional payloads. One known payload, an OSX\/Adload variant, attempts to bypass the macOS Gatekeeper protection feature that’s supposed to flag downloads as potentially untrusted. By removing the quarantine flag on the payload files, the victim does not get a warning about the software being installed.<\/p>\n The behaviors of recent OSX\/WizardUpdate and OSX\/Adload samples. Image credit: Microsoft<\/a>.<\/p><\/div>\n The recently observed OSX\/Adload payload causes ads to be injected into whatever Web site the user visits. (Intego previously wrote about OSX\/Adload<\/a> back in August.) But the rapid growth in OSX\/WizardUpdate’s sophistication implies that it could potentially install anything it wants, whenever it wants. This makes OSX\/WizardUpdate a piece of malware that you definitely don’t want on your system.<\/span><\/p>\n Microsoft stated, “Given its history, this Trojan will likely continue to grow in sophistication.<\/span>” Thus, it’s important to stay protected by using active anti-malware protection, like Intego VirusBarrier X9 provides.<\/p>\n VirusBarrier detects WizardUpdate as OSX\/WizardUpdate.H<\/strong>, and the Adload payloads as OSX\/Adload.<\/strong><\/span><\/p>\n The OSX\/Bundlore malware dropper family has been around for many years. This malware consists of software installers that deceive users into thinking some legitimate software is being installed, while in fact malware is being installed instead. Alternatively, malware may be installed alongside the actual software.<\/p>\n Recently a new Bundlore variant was found<\/a> that poses as a Flash Player installer (surprise, surprise). The installer will load an invisible helper file, which in turn loads a shell script, which then downloads and executes Bundlore from a malicious domain, The whole process uses XOR to obfuscate it’s actions and movements. XOR (eX<\/strong>clusive OR<\/strong>) is popular way to hide data from untrained eyes, as the XORed data needs a key to be deciphered. Luckily, XOR is typically very easy to decipher\u2014although sometimes malware authors will double-cycle XOR the data which makes it harder to translate garbled data into readable text.<\/span><\/span><\/p>\n This Bundlore dropper uses such an approach, as documented by Confiant in the following screenshot (note all of the “xor” in the left column).<\/p>\n The latest OSX\/Bundlore variant uses XOR to obfuscate its code. Image credit: Confiant<\/a>.<\/p><\/div>\n The shell script that is decoded by the invisible helper file is also heavily obfuscated with XOR, but once the obfuscation is removed the data becomes readable and the script’s true intentions become known.<\/p>\n This OSX\/Bundlore variant downloads an additional payload from a malicious domain. Image credit: Confiant<\/a>.<\/p><\/div>\n This fake Flash Player was signed with the developer certificate “Tadarrius Rashard Campbell (B9L873SNL3)” <\/span>and notarized by Apple. Unfortunately, Apple often notarizes Mac malware<\/a>. Apple was notified when this discovery was made, and they promptly revoked the certificate associated with this account.<\/span><\/p>\n Of course, we can expect to see further variants that simply pivot to another Apple Developer ID instead.<\/p>\n When we last checked, the second-stage malware URL was pushing an OSX\/Pirrit spyware installer.<\/p>\n VirusBarrier detects this Bundlore variant as OSX\/Bundlore.BEa<\/strong> and the current next-stage malware as OSX\/Pirrit.clt<\/strong>.<\/p>\n Given that Apple’s threat mitigation features such as notarization, Gatekeeper, XProtect, and MRT do not block many types of threats, it is evident that Apple\u2019s own macOS protection methods are insufficient by themselves.<\/p>\nOSX\/WizardUpdate<\/h3>\n
\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/11\/WizardUpdateEvolution.jpg\")
<\/a>![](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/02\/flash-out-of-date.jpeg\")
<\/p>\n![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/11\/WizardUpdateSteps.png\")
<\/a>OSX\/Bundlore<\/h3>\n
qaeqxa[.]pw<\/code>.<\/p>\n![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/11\/Bundlore-XOR.jpg\")
<\/a>![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/11\/Bundlore-XOR-1.jpg\")
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/11\/OSX-Pirrit-clt.png\")
<\/a><\/p>\nHow can one remove or prevent OSX\/WizardUpdate, OSX\/Bundlore, and other threats?<\/h3>\n